[pmwiki-users] Mailpost strangeness in 1.0.13
Peter Brink
peter.brink at brinkdata.se
Sun Mar 20 06:59:45 CST 2005
Ok. I have not upgraded to 2.* so I don't know if this little oddity is
fixed in the later versions of PmWiki but anyways...

Someone, who uses the username "sex pictures", is trying to edit
PmWiki.PmWiki at my site. My site is world read-only and one needs to
have an admin or editor password to edit. The PmWiki group can only be
edited by admin. Obviously the attempt to edit fails and nothing shows
up in the page history or on Main.RecentChanges. However, I use mailpost
to send a mail notification of all new posts and the mailpost script
sends a notification of the post as if it had succeeded. I note that
mailpost.php (line 59 ff) does not test for authorization as HandleEdit
or HandlePost in pmwiki.php does. I'm *guessing* that the lack of test
for authorization in mailpost.php is the reason for the failed edit
being "broadcasted". Since no bad content is being added (or
broadcasted) this is more an annoying problem than a serious one, but
I'd like to solve it.

If I changed lines 59-69 in mailpost.php from:

  if ($action=='post' || @$_POST['post']) {
    Lock(2);
    $fp = @fopen($MailPostsFile,"a");
    if ($fp) {
      $PostTime = strftime($MailPostsTimeFmt,$Now);
      fputs($fp,str_replace("\n",$Newline,
        FmtPageName("$Now $MailPostsItemFmt",$pagename))."\n");
      fclose($fp);
    }
    Lock(0);
  }

to:

  if ($action=='post' || @$_POST['post']) {
    Lock(2);
    $page = RetrieveAuthPage($pagename,"edit");
    if (!$page) {
      return;
    }
    else {
      $fp = @fopen($MailPostsFile,"a");
      if ($fp) {
        $PostTime = strftime($MailPostsTimeFmt,$Now);
        fputs($fp,str_replace("\n",$Newline,
          FmtPageName("$Now $MailPostsItemFmt",$pagename))."\n");
        fclose($fp);
      }
    }
    Lock(0);
  }

would that be enough to solve the problem?
/Peter
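
Added example, not part of the original post and not PmWiki code: a stand-alone PHP sketch of the ordering discussed above, where the edit-permission check runs before anything is written to the notification queue and the file lock is released on every path. The ACL, can_edit() and queue_notification() are hypothetical names standing in for the wiki's own authorization and queue; the sample requests are constructed.

```php
<?php
// Constructed sample ACL: page name => roles allowed to edit it.
$acl = ['PmWiki.PmWiki' => ['admin'], 'Main.HomePage' => ['admin', 'editor']];

// Hypothetical stand-in for the wiki's own edit-permission check.
function can_edit(array $acl, string $page, ?string $role): bool {
    return $role !== null && in_array($role, $acl[$page] ?? [], true);
}

// Append one notification line, but only for an authorized post.
// Returns true if a line was queued, false otherwise.
function queue_notification(array $acl, string $queueFile, string $page,
                            ?string $role, string $author): bool {
    // Authorize first: a rejected post takes no lock and touches no file.
    if (!can_edit($acl, $page, $role)) {
        return false;
    }
    $fp = fopen($queueFile, 'a');
    if ($fp === false) {
        return false;
    }
    try {
        if (!flock($fp, LOCK_EX)) {
            return false;
        }
        // The author name is user-supplied: strip CR/LF so one post is one line.
        $author = str_replace(["\r", "\n"], ' ', $author);
        fwrite($fp, sprintf("%d %s by %s\n", time(), $page, $author));
        fflush($fp);
        return true;
    } finally {
        // Runs on every exit path, so the lock is never left held.
        flock($fp, LOCK_UN);
        fclose($fp);
    }
}

$queue = tempnam(sys_get_temp_dir(), 'mailposts');
// Constructed requests: an unauthenticated attempt, then an admin edit.
var_dump(queue_notification($acl, $queue, 'PmWiki.PmWiki', null, 'spammer'));
var_dump(queue_notification($acl, $queue, 'PmWiki.PmWiki', 'admin', 'Peter'));
echo file_get_contents($queue); // only the admin edit is present
unlink($queue);
```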